fix(build): use execFileSync (no shell) in build scripts to resolve CodeQL shell-injection alerts

Replace string-form execSync invocations with array-form execFileSync (no
shell) at two build-tooling call sites flagged by CodeQL
js/shell-command-injection-from-environment:

- scripts/build-modules.js: prettier --write now runs via
  execFileSync(process.execPath, [require.resolve("prettier/bin/prettier.cjs"),
  "--write", join(BUILTIN_DIR, "*.js")]). Prettier expands the glob itself, so
  no shell parses the interpolated path.
- scripts/bash-bundle/build.mjs: esbuild now runs via
  execFileSync(process.execPath, [require.resolve("esbuild/bin/esbuild"), ...])
  with each flag/value as its own array element (aliasArgs kept as an array
  instead of space-joined). Same flags, aliases, --minify, --tree-shaking, and
  outfile — behaviour is identical.

Build tooling only; generated artifacts are unchanged byte-for-byte. Resolves
CodeQL alerts #2 and #11.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>

Author: simongdavies

scripts/bash-bundle/build.mjs

@@ -8,12 +8,14 @@
 //
 // Prerequisites: npm install (just-bash and esbuild must be in node_modules)
 
-import { execSync } from "node:child_process";
+import { execFileSync } from "node:child_process";
 import { readFileSync, writeFileSync, existsSync, unlinkSync } from "node:fs";
 import { join, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
+import { createRequire } from "node:module";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
+const require = createRequire(import.meta.url);
 const repoRoot = join(__dirname, "..", "..");
 const outFile = join(repoRoot, "builtin-modules", "bash.js");
 
@@ -50,17 +52,27 @@ const aliasArgs = [
   `--alias:node-liblzma=${join(stubDir, "liblzma-stub.mjs")}`,
   `--alias:@mongodb-js/zstd=${join(stubDir, "zstd-stub.mjs")}`,
   `--alias:sql.js=${join(stubDir, "sqljs-stub.mjs")}`,
-].join(" ");
+];
 
 const tmpBundle = join(stubDir, "_tmp_bundle.js");
 
-execSync(
-  `npx esbuild ${entryFile} ` +
-    `--bundle --format=esm --platform=neutral --target=es2020 ` +
-    `--main-fields=module,main ` +
-    `${aliasArgs} ` +
-    `--outfile=${tmpBundle} ` +
-    `--minify --tree-shaking=true`,
+// Invoke esbuild without a shell (execFileSync + args array) so no argument
+// can be reinterpreted by a shell. Each flag/value is its own array element.
+execFileSync(
+  process.execPath,
+  [
+    require.resolve("esbuild/bin/esbuild"),
+    entryFile,
+    "--bundle",
+    "--format=esm",
+    "--platform=neutral",
+    "--target=es2020",
+    "--main-fields=module,main",
+    ...aliasArgs,
+    `--outfile=${tmpBundle}`,
+    "--minify",
+    "--tree-shaking=true",
+  ],
   { stdio: "inherit", cwd: repoRoot },
 );
 

scripts/build-modules.js

@@ -12,12 +12,14 @@
  * 7. Regenerates host-modules.d.ts
  */
 
-import { execSync } from "child_process";
+import { execSync, execFileSync } from "child_process";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";
+import { createRequire } from "module";
 import { existsSync, unlinkSync, readdirSync, statSync } from "fs";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
+const require = createRequire(import.meta.url);
 const ROOT = join(__dirname, "..");
 const BUILTIN_DIR = join(ROOT, "builtin-modules");
 const PLUGINS_DIR = join(ROOT, "plugins");
@@ -68,10 +70,20 @@ execSync("npx tsx scripts/generate-ha-modules-dts.ts", {
 });
 
 // Step 4: Format with Prettier
-execSync(`prettier --write "${BUILTIN_DIR}/*.js"`, {
-  cwd: ROOT,
-  stdio: "inherit",
-});
+// Invoke prettier without a shell (execFileSync) so the interpolated path
+// can't be interpreted as a shell command. Prettier expands the glob itself.
+execFileSync(
+  process.execPath,
+  [
+    require.resolve("prettier/bin/prettier.cjs"),
+    "--write",
+    join(BUILTIN_DIR, "*.js"),
+  ],
+  {
+    cwd: ROOT,
+    stdio: "inherit",
+  },
+);
 
 console.log("\nUpdating module hashes...");
 
@@ -161,5 +173,4 @@ execSync("npx tsx scripts/generate-host-modules-dts.ts", {
   stdio: "inherit",
 });
 
-
 console.log("✓ Build complete");